#!/bin/bash

    
# This is an example of a Ganeti kvm ifup script that configures network
# interfaces based on the initial deployment of the Okeanos project

    
# MAC address given to every tap that is set up in "routed" mode (see the
# main block below); the bytes spell "GRNET" in ASCII.
TAP_CONSTANT_MAC="cc:47:52:4e:45:54"
# Helper invoked by routed_setup_ipv6 to derive an EUI-64 address from the
# guest MAC and the network's /64 prefix.
MAC2EUI64="/usr/bin/mac2eui64"
# Directory holding one state file per tap for nfdhcpd (written by
# routed_setup_nfdhcpd).
NFDHCPD_STATE_DIR="/var/lib/nfdhcpd"

    
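#######################################
# Routed mode, IPv4: policy-route the tap into the network's routing table,
# install a host route for the guest's IP and answer ARP on its behalf.
# Globals:   INTERFACE (tap name), TABLE (routing table name), IP (guest IPv4)
# Outputs:   diagnostics to stderr
# Returns:   status of the final sysctl write
#######################################
function routed_setup_ipv4 {
	local gw

	# Default gateway of the network's table; outgoing ARP requests on the
	# tap are rewritten to carry it as sender IP.
	gw=$(ip route list table "$TABLE" | sed -n 's/default via \([^ ]\+\).*/\1/p' | head -1)

	# Refresh the ARP mangling rule: delete a stale one (errors for "no such
	# rule" are silenced), then append the current one.  Without a gateway
	# there is nothing valid to mangle to, so say so instead of installing a
	# broken rule.
	arptables -D OUTPUT -o "$INTERFACE" --opcode request -j mangle >/dev/null 2>&1
	if [[ -n $gw ]]; then
		arptables -A OUTPUT -o "$INTERFACE" --opcode request -j mangle --mangle-ip-s "$gw"
	else
		printf '%s: no default gateway in table %s, ARP mangling skipped\n' "$0" "$TABLE" >&2
	fi

	# Route traffic arriving on the tap through the network's table.  Drop
	# every existing rule for the device first, in case several were left.
	while ip rule del dev "$INTERFACE"; do :; done
	ip rule add dev "$INTERFACE" table "$TABLE"

	# Static host route: the guest's IP is reached through this tap.
	ip route replace "$IP" proto static dev "$INTERFACE" table "$TABLE"

	# Enable proxy ARP on the tap.
	echo 1 > "/proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp"
}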

    
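#######################################
# Routed mode, IPv6: policy-route the tap into the network's table and give
# the guest an EUI-64 address (derived from its MAC) inside the table's /64,
# proxied on the uplink.
# Globals:   INTERFACE (tap name), TABLE (routing table name), MAC (guest
#            MAC), MAC2EUI64 (path of the EUI-64 helper)
# Outputs:   diagnostics to stderr
# Returns:   status of the final sysctl write
#######################################
function routed_setup_ipv6 {
	local routes prefix uplink eui64=""

	# One lookup of the table: the /64 prefix the guest lives in and the
	# device the default route leaves through.
	routes=$(ip -6 route list table "$TABLE")
	prefix=$(awk '/\/64/ {print $1; exit}' <<<"$routes")
	uplink=$(sed -n 's/default via .* dev \([^ ]\+\).*/\1/p' <<<"$routes" | head -1)

	# The guest's address is computed from its MAC, never learned from the
	# wire; without a prefix there is nothing to compute.
	if [[ -n $prefix ]]; then
		eui64=$("$MAC2EUI64" "$MAC" "$prefix")
	fi

	# Route traffic arriving on the tap through the network's table (drop
	# every existing rule for the device first).
	while ip -6 rule del dev "$INTERFACE"; do :; done
	ip -6 rule add dev "$INTERFACE" table "$TABLE"

	# Host route for the guest's address plus a proxy-NDP entry on the
	# uplink, only when both could be determined.
	if [[ -n $eui64 && -n $uplink ]]; then
		ip -6 ro replace "$eui64/128" dev "$INTERFACE" table "$TABLE"
		ip -6 neigh add proxy "$eui64" dev "$uplink"
	else
		printf '%s: no /64 prefix, uplink or EUI-64 for %s in table %s, IPv6 route/proxy skipped\n' \
			"$0" "$INTERFACE" "$TABLE" >&2
	fi

	# Kernel proxy NDP is kept off on the tap: NDP is handled in userspace.
	# 0 should already be the default; set it explicitly to be safe.
	echo 0 > "/proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp"
}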

    
# pick a firewall profile per NIC, based on tags (and apply it)
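#######################################
# Routed mode: select the firewall profile for this NIC from the instance's
# tags and hook the matching FORWARD chain up to the tap (IPv4 and IPv6).
# A tag "synnefo:network:<INTERFACE_INDEX>:<profile>" selects <profile>,
# one of protected, unprotected or limited; the last matching tag wins.
# A NIC without such a tag gets no jump at all, so the FORWARD chain's other
# rules and policy decide for it.
# NOTE(review): because only the prefix is stripped, a bare tag
# "protected"/"unprotected"/"limited" (no prefix) matches as well.
# Globals:   INTERFACE, INTERFACE_INDEX, TAGS (whitespace-separated tags)
# Returns:   status of the last iptables/ip6tables call
#######################################
function routed_setup_firewall {
	local ifprefix="synnefo:network:$INTERFACE_INDEX:"
	local chain="" tag profile oldchain

	# TAGS is deliberately left unquoted: one tag per word.
	for tag in $TAGS; do
		profile=${tag#"$ifprefix"}
		case "$profile" in
			protected|unprotected|limited)
				chain=$profile
				;;
			*)
				;;
		esac
	done

	# Flush any old jump first.  All three chains are tried, since the
	# instance may have been on another chain or another tap before; -D on a
	# missing rule just fails, which is silenced.
	for oldchain in protected unprotected limited; do
		iptables  -D FORWARD -o "$INTERFACE" -j "$oldchain" 2>/dev/null
		ip6tables -D FORWARD -o "$INTERFACE" -j "$oldchain" 2>/dev/null
	done

	if [[ -n $chain ]]; then
		iptables  -A FORWARD -o "$INTERFACE" -j "$chain"
		ip6tables -A FORWARD -o "$INTERFACE" -j "$chain"
	fi
}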

    
#######################################
# Write the per-tap state file that nfdhcpd picks up for this guest.
# Arguments: $1 - interface name recorded as IFACE (the tap in routed mode,
#                 the bridge in bridged mode); the file itself is always
#                 named after $INTERFACE
# Globals:   NFDHCPD_STATE_DIR, INTERFACE, IP, MAC, TABLE, INSTANCE, TAGS
# Outputs:   creates/overwrites $NFDHCPD_STATE_DIR/$INTERFACE, mode 644
#            under the umask set here (the umask is not scoped to this
#            function and stays in effect for the rest of the script)
#######################################
function routed_setup_nfdhcpd {
	local iface=$1
	local state_file="$NFDHCPD_STATE_DIR/$INTERFACE"

	# Readable by everyone, writable only by the owner.
	umask 022
	printf 'IFACE=%s\nIP=%s\nMAC=%s\nLINK=%s\nHOSTNAME=%s\nTAGS="%s"\n' \
		"$iface" "$IP" "$MAC" "$TABLE" "$INSTANCE" "$TAGS" >"$state_file"
}

    
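#######################################
# Tear down the per-tap ebtables chains built by set_ebtables: unhook
# FROM<TAP>/TO<TAP> from the built-in chains, then delete them.
# Each jump is deleted until ebtables reports none is left, so duplicates
# from an earlier interrupted run do not survive; errors for rules or chains
# that do not exist (e.g. the first ifup of a tap) are silenced, matching
# the iptables cleanup in routed_setup_firewall.
# Globals:   INTERFACE
# Returns:   status of the last ebtables -X
#######################################
function reset_ebtables {
	local tap=$INTERFACE
	local from="FROM${tap^^}"
	local to="TO${tap^^}"

	while ebtables -D INPUT   -i "$tap" -j "$from" 2>/dev/null; do :; done
	while ebtables -D FORWARD -i "$tap" -j "$from" 2>/dev/null; do :; done
	while ebtables -D FORWARD -o "$tap" -j "$to"   2>/dev/null; do :; done
	while ebtables -D OUTPUT  -o "$tap" -j "$to"   2>/dev/null; do :; done

	# -X refuses to delete a chain that is still jumped to, hence the
	# unhooking above.
	ebtables -X "$from" 2>/dev/null
	ebtables -X "$to"   2>/dev/null
}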

    
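#######################################
# Bridged mode: build the per-tap ebtables chains that keep the guest from
# spoofing and, on a "private" network, limit who may talk to it.
#   FROM<TAP> (frames from the guest): drop IPv4 whose source is not the
#     guest's IP, and any frame whose source MAC is not the guest's MAC.
#   TO<TAP> (frames towards the guest): always let DHCP replies from the
#     host (nfdhcpd) through; on a private network drop frames whose source
#     MAC does not share the guest MAC's masked prefix (MAC_MASK), and
#     append an ACCEPT for ROUTER_MAC when the network has a gateway.
# NOTE(review): only the IPv4 source address is checked on the FROM side;
# ARP and IPv6 frames pass on the MAC match alone.
# NOTE(review): the ROUTER_MAC ACCEPT sits after the prefix DROP, so it only
# takes effect if ROUTER_MAC already matches $MAC/$MAC_MASK; a router on a
# different prefix would need the ACCEPT inserted before the DROP.
# Globals:   INTERFACE, IP, MAC, TYPE, GATEWAY, ROUTER_MAC, MAC_MASK
# Returns:   status of the last ebtables call
#######################################
function set_ebtables {
	local tap=$INTERFACE
	local from="FROM${tap^^}"
	local to="TO${tap^^}"

	# Guest -> network: layer-3 and layer-2 anti-spoofing.
	ebtables -N "$from"
	ebtables -A "$from" --ip-source '!' "$IP" -p ipv4 -j DROP
	ebtables -A "$from" -s '!' "$MAC" -j DROP
	ebtables -A INPUT   -i "$tap" -j "$from"
	ebtables -A FORWARD -i "$tap" -j "$from"

	# Network -> guest.
	ebtables -N "$to"
	ebtables -A FORWARD -o "$tap" -j "$to"
	ebtables -A OUTPUT  -o "$tap" -j "$to"
	# Accept DHCP responses (client port 68) from the host, i.e. nfdhcpd.
	ebtables -A "$to" -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT

	# Private network: drop frames from MACs outside the guest's masked
	# prefix; the router is accepted only when a gateway is configured.
	if [[ $TYPE == "private" ]]; then
		ebtables -A "$to" -s '!' "$MAC/$MAC_MASK" -j DROP
		if [[ -n $GATEWAY ]]; then
			ebtables -A "$to" -s "$ROUTER_MAC" -j ACCEPT
		fi
	fi
}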

    
# FIXME: import router mac from the config files -- that needs the node
#        group!! how???
# MAC of the network's router; accepted on private networks by set_ebtables.
ROUTER_MAC="6e:10:e1:a0:c3:0f"
# Mask set_ebtables applies to the guest MAC on private networks: only
# frames from MACs sharing the first three bytes are let through.
MAC_MASK="ff:ff:ff:0:0:0"

    
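# Name of the per-network routing table used in routed mode.
TABLE="rt_$NETWORK"

# Per-network settings used below (presumably MODE, BRIDGE, TYPE, GATEWAY --
# confirm against snf-network) are sourced as shell code.  That file is
# executed with this script's privileges, so it must only ever be written by
# the host tooling/administrator, never from guest- or user-supplied data.
# A missing file (or unset NETWORK) is reported and the script carries on
# with whatever the environment already provides, as before.
snf_network_config="/var/lib/snf-network/networks/$NETWORK"
if [[ -n $NETWORK && -f $snf_network_config ]]; then
	source "$snf_network_config"
else
	printf '%s: network config %s not found\n' "$0" "$snf_network_config" >&2
fi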

    

    
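# Per-NIC setup, selected by the network's MODE.
if [[ $MODE == "routed" ]]; then
	# Special proxy-ARP/NDP routing mode: the tap is not bridged; the host
	# routes for the guest and answers ARP/NDP for it.

	# Every routed tap gets the same constant, predefined MAC address.
	ip link set "$INTERFACE" addr "$TAP_CONSTANT_MAC"
	# Bring the tap up with no address of its own.
	# NOTE(review): ifconfig is net-tools; `ip link set ... up` would drop
	# that dependency, kept as is to preserve the 0.0.0.0 assignment.
	ifconfig "$INTERFACE" 0.0.0.0 up

	# Drop unicast BOOTP/DHCP packets coming in from the tap (server port
	# 67) so they are never forwarded off the host; delete a stale copy of
	# the rule first.
	iptables -D FORWARD -i "$INTERFACE" -p udp --dport 67 -j DROP 2>/dev/null
	iptables -A FORWARD -i "$INTERFACE" -p udp --dport 67 -j DROP

	routed_setup_ipv4
	routed_setup_ipv6
	routed_setup_firewall
	routed_setup_nfdhcpd "$INTERFACE"
	# No ebtables chains are used in routed mode; clear any left over for
	# this tap.
	reset_ebtables
elif [[ $MODE == "bridged" ]]; then
	# Plain bridging: drop any policy-routing rule left for this tap,
	# attach it to the network's bridge and rebuild the per-tap ebtables
	# anti-spoofing chains.
	while ip rule del dev "$INTERFACE"; do :; done
	ifconfig "$INTERFACE" 0.0.0.0 up
	brctl addif "$BRIDGE" "$INTERFACE"
	# In bridged mode the state file records the bridge as IFACE.
	routed_setup_nfdhcpd "$BRIDGE"
	reset_ebtables
	set_ebtables
else
	# Neither mode matched: nothing is configured, but say so instead of
	# exiting silently.
	printf '%s: unknown or unset MODE "%s" for %s, nothing configured\n' \
		"$0" "$MODE" "$INTERFACE" >&2
fi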